Develop an offensive capability
Patti Titus, the previous chief information security officer at the Transportation Security Administration, is among a growing number of executives arguing for the development of deterrent capabilities in cyberspace. "What we need to say is, 'We are the U.S., and if you mess with us, you'd better be careful,'" says Titus, who is currently chief information security officer at Unisys Corp.
For too long, the country has been focusing on building a defensive capability that has done little to stop adversaries from infiltrating government networks, supply chain and distribution systems, she says. "It's time to come up with some way of launching back at those that mean to do harm," Titus suggests.
But figuring out the nuances of such a strategy can be tricky, and care needs to be taken, says Kurtz. "There is some real work that needs to be done" on a global basis to think through issues, he says. "What is an act of war in cyberspace? We need to have a far more substantial dialog here in the United States and abroad about what this means," he says, especially because the means to do harm in cyberspace are not restricted just to governments and militaries.
Unlike nation-states that "display fighter planes and battleships as an overt show of force, countries don't brag about their offensive cybercapabilities," says Steven Chabinsky, senior cyberadvisor to the director of national intelligence. "They guard them in a very secretive manner," and there's no telling if they intend to use that capability, says Chabinsky. "In cyber, capabilities tend to get better over time, and intentions can change quickly," he cautions. And there always is the possibility that a nation that wants to do damage can simply hijack or use exploitation capabilities built by others.
"Determining who the attackers are, who the enemies are, is one of the biggest problems we have as a government and in the private sector," says Shawn Carpenter, a former network security analyst at Sandia National Laboratories.
Carpenter was fired in January 2005 for his independent probe of a network security breach at the agency, which he traced back to a Chinese espionage group called Titan Rain, by doing some reverse-hacking of his own. But make no mistake, he says, the enemy is already here, lurking in sensitive systems and networks, in control of large botnets, inside financial systems and the power grid, and it needs to be stopped.
"My definition of a digital Pearl Harbor is where these people are already here. They already have access and are just sort of hanging out maintaining their access for the time when they get some instruction to bring down the system or corrupt information," he says.
Don Tennant contributed to this report.
Next: The fog of (cyber) war